Insight generation using personal identifiable information (PII) footprint modeling

ABSTRACT

Aspects of the disclosure relate to information masking. A computing platform may receive, from a user computing device, a request to access information that includes personal identifiable information (PII). The computing platform may retrieve source data comprising the PII and mask, within the source data and based on a data management policy, the PII. The computing platform may send the masked information in response to the request to access the information. The computing platform may receive a request to unmask the masked information and unmask the PII. The computing platform may log the request to unmask the masked information in an unmasking event log and send the unmasked PII in response to the request to unmask the masked information. The computing platform may apply a machine learning model to the unmasking event log to identify malicious events and trigger remediation actions based on identification of the malicious events.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to co-pendingU.S. Application Ser. No. 17/232,517, filed Apr. 16, 2021, and entitled“Insight Generation Using Personal Identifiable Information (PII)Footprint Modeling,” which is incorporated herein by reference in itsentirety.

BACKGROUND

Aspects of the disclosure relate to securely maintaining and controllingaccess to personal identifiable information (PII). In particular, one ormore aspects of the disclosure relate to providing improved PII securityusing machine learning techniques.

In some instances, employees of an enterprise organization may need toaccess PII (e.g., of customers or other individuals) for legitimatebusiness operations of the organization. Such access to PII, however,creates risk of attempts to compromise sensitive PII and/or performother nefarious behaviors/malicious events using the PII. Nevertheless,in some instances, it may be necessary for certain employees to accesscertain PII to perform their job functions and/or to complete certaincustomer requests.

SUMMARY

Aspects of the disclosure provide effective, efficient, scalable, andconvenient technical solutions that address and overcome the technicalproblems associated with enterprise tracking and/or access mechanismsrelated to PII so as to maximize PII safety and security withoutimpeding task completion by employees and/or other legitimate functions.In some instances, this may be accomplished through masking of PII andlogging requests to unmask such PII for malicious event detection inenterprise computing networks. In accordance with one or moreembodiments of the disclosure, a computing platform comprising at leastone processor, a communication interface, and memory storingcomputer-readable instructions may receive, from a user computingdevice, a request to access information that includes personalidentifiable information (PII). The computing platform may retrievesource data comprising the PII. The computing platform may mask, withinthe source data and based on at least one enterprise data managementpolicy, the PII, which may result in masked information. The computingplatform may send the masked information in response to the request toaccess the information. The computing platform may receive a request tounmask the masked information. The computing platform may unmask thePII, which may result in unmasked PII. The computing platform may logthe request to unmask the masked information in an unmasking event log,and may send the unmasked PII in response to the request to unmask themasked information. The computing platform may apply at least onemachine learning model to the unmasking event log to identify one ormore malicious events, and may trigger one or more remediation actionsbased on identification of the one or more malicious events.

In one or more instances, masking the PII may be based on one or moreof: an IP address, a location, or a job title corresponding to a user ofthe user computing device or the user computing device. In one or moreinstances, the computing platform may unmask the PII by sending thecorresponding source data that includes the PII.

In one or more instances, the computing platform may unmask the PII bymodifying the masked information to expose the PII. In one or moreinstances, the computing platform may identify, based on a networkpolicy, whether or not the request to unmask the PII should befulfilled, and unmasking the PII may be performed in response toidentifying that the request to unmask the PII should be fulfilled.

In one or more instances, triggering the one or more remediation actionsmay include modifying the network policy. In one or more instances,modifying the network policy may include revoking access permissions forthe user computing device.

In one or more instances, the access permissions for the user computingdevice may be revoked for a temporary period of time. In one or moreinstances, identifying the one or more malicious events may include: 1)comparing the PII to information that relates to a job title of the userof the user computing device, 2) based on identifying a match betweenthe PII and the information that relates to the job title of the user ofthe user computing device, verifying a non-malicious event; and 3) basedon identifying that the PII does not match the information that relatesto the job title of the user of the user computing device, identifyingthe one or more malicious events.

In one or more instances, identifying the one or more malicious eventsmay include identifying that a number of requests for the PII by theuser computing device exceeds a median number of requests for the PII bya predetermined number of standard deviations, where the requests may beinitiated by other user computing devices corresponding to usersassociated with a particular job title and a user of the user computingdevice may also be associated with the particular job title.

In one or more additional or alternative embodiments, a user devicecomprising at least one processor, a communication interface, and memorystoring computer-readable instructions may receive a request to accessinformation that includes PII. The user device may retrieve source datacomprising the PII. The user device may mask, within the source data andbased on at least one enterprise data management policy, the PII,resulting in masked information. The user device may display the maskedinformation in response to the request to access the information. Theuser device may receive a request to unmask the masked information andmay unmask the PII, resulting in unmasked PII. The user device maydisplay the unmasked PII in response to the request to unmask the maskedinformation and send unmasking event information to a PII footprintmodeling platform, which may cause the PII footprint modeling platformto: 1) log the request to unmask the masked information in an unmaskingevent log, 2) apply at least one machine learning model to the unmaskingevent log to identify one or more malicious events, and 3) trigger oneor more remediation actions based on identification of the one or moremalicious events.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIGS. 1A-1B depict an illustrative computing environment for PIIfootprint modeling in accordance with one or more example embodiments;

FIGS. 2A-2E depict an illustrative event sequence for PII footprintmodeling by a centralized computing platform in accordance with one ormore example embodiments;

FIGS. 3A-3E depict an illustrative event sequence for PII footprintmodeling by a user computing device in accordance with one or moreexample embodiments;

FIG. 4 depicts an illustrative method for PII footprint modeling by acentralized computing platform in accordance with one or more exampleembodiments;

FIG. 5 depicts an illustrative method for PII footprint modeling by auser computing device in accordance with one or more exampleembodiments; and

FIGS. 6-8 depict illustrative graphical user interfaces for PIIfootprint modeling in accordance with one or more example embodiments.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. In someinstances, other embodiments may be utilized, and structural andfunctional modifications may be made, without departing from the scopeof the present disclosure.

It is noted that various connections between elements are discussed inthe following description. It is noted that these connections aregeneral and, unless specified otherwise, may be direct or indirect,wired or wireless, and that the specification is not intended to belimiting in this respect.

As a brief introduction to the concepts described further herein, one ormore aspects of the disclosure describe masking PII, recording PIIunmasking events, and analyzing an unmasking event log to identifymalicious events. For example, PII may be visible to system users whomay have access to view customer and/or account information. Not allsystems users may need to view the same PII for each individual systeminteraction. Accordingly, masking selective portions of the PII maymitigate and/or prevent non-essential exposure of sensitive informationand may cause system users to click on each piece of PII to unmask itwhen access to such customer and/or account information is warranted.Unmasking of individual data elements by individual system users may belogged and tracked within systems and may enable the development ofinternal fraud risk models to detect potential attempts to compromisesensitive PII and/or other nefarious behaviors that may be indicative ofmalicious events.

More specifically, a risk exists that system users who have access toview customer and account information may be able to do so without alegitimate business justification and could enable malicious orotherwise deceptive events based on compromised sensitive PII. Eachunmasking event may create a footprint or unique way of identifying theindividual performing the action, and an event log may be created thatmay include an employer identifier, a date, a time, a customeridentifier, an indication of what data was unmasked, and/or otherinformation. By combining this event log information with other factors(e.g., a trailing customer claim, or other information), maliciousevents may be identified. In addition, system access levels may berefined by identifying what PII is typically needed to perform variousjob functions across an enterprise. Additionally or alternatively, PIInot needed for business purposes may be permanently masked. By notifyingassociates that unmasking PII may be logged and used to identify/detectmalicious events, such events may be deterred.

FIGS. 1A-1B depict an illustrative computing environment for PIIfootprint modeling in accordance with one or more example embodiments.Referring to FIG. 1A, computing environment 100 may include one or morecomputer systems. For example, computing environment 100 may include aPII footprint modeling platform 102, an information storage system 103,an enterprise user device 104, and an administrator user device 105.

As described further below, PII footprint modeling platform 102 may be acomputer system that includes one or more computing devices (e.g.,servers, server blades, or the like) and/or other computer components(e.g., processors, memories, communication interfaces) that mayimplement machine learning techniques to identify malicious events basedon PII unmasking event information.

Information storage system 103 may include one or more computing devices(e.g., servers, server blades, or the like) and/or other computercomponents (e.g., processors, memories, communication interfaces) thatmay be used to store PII (e.g., account information, contactinformation, credit information, birth dates, driver's licenseinformation, expiration dates, email information, phone numbers, onlinebanking identifiers, device identifiers, social security information,and/or other personal information) that may correspond to one or moreusers, accounts, and/or transactions. Although a single informationstorage system 103 is depicted in FIG. 1A, any number of informationstorage systems may be included on the network 101 without departingfrom the scope of the disclosure.

Enterprise user device 104 may be a laptop computer, desktop computer,mobile device, tablet, smartphone, or the like that may be used by anemployee of an enterprise organization (e.g., a financial institution,or the like). For example, the enterprise user device 104 may be used byone or more individuals to perform one or more tasks, process events,and/or perform other functions. In some instances, enterprise userdevice 104 may be configured to display one or more user interfaces(e.g., interfaces that masked and/or made visible PII, and/or otherinterfaces).

Administrator user device 105 may be a laptop computer, desktopcomputer, mobile device, tablet, smartphone, or the like that may beused by an employee or administrator of an enterprise organization(e.g., a financial institution, or the like). For example, theadministrator user device 105 may be used by one or more individuals toestablish and/or enforce enterprise access permissions (e.g., definingtypes of PII accessible by certain individuals, departments, executives,or other employee characteristics). In some instances, administratoruser device 105 may be configured to display one or more userinterfaces.

Computing environment 100 also may include one or more networks, whichmay interconnect PII footprint modeling platform 102, informationstorage system 103, enterprise user device 104, and administrator userdevice 105. For example, computing environment 100 may include a network101 (which may interconnect, e.g., PII footprint modeling platform 102,information storage system 103, enterprise user device 104, and/oradministrator user device 105).

In one or more arrangements, PII footprint modeling platform 102,information storage system 103, enterprise user device 104, and/oradministrator user device 105 may be any type of computing devicecapable of sending and/or receiving requests and processing the requestsaccordingly. For example, PII footprint modeling platform 102,information storage system 103, enterprise user device 104,administrator user device 105, and/or the other systems included incomputing environment 100 may, in some instances, be and/or includeserver computers, desktop computers, laptop computers, tablet computers,smart phones, or the like that may include one or more processors,memories, communication interfaces, storage devices, and/or othercomponents. As noted above, and as illustrated in greater detail below,any and/or all of PII footprint modeling platform 102, informationstorage system 103, enterprise user device 104, and/or administratoruser device 105, may, in some instances, be special-purpose computingdevices configured to perform specific functions.

Referring to FIG. 1B, PII footprint modeling platform 102 may includeone or more processors 111, memory 112, and communication interface 113.A data bus may interconnect processor 111, memory 112, and communicationinterface 113. Communication interface 113 may be a network interfaceconfigured to support communication between PII footprint modelingplatform 102 and one or more networks (e.g., network 101, or the like).Memory 112 may include one or more program modules having instructionsthat when executed by processor 111 cause PII footprint modelingplatform 102 to perform one or more functions described herein and/orone or more databases that may store and/or otherwise maintaininformation which may be used by such program modules and/or processor111. In some instances, the one or more program modules and/or databasesmay be stored by and/or maintained in different memory units of PIIfootprint modeling platform 102 and/or by different computing devicesthat may form and/or otherwise make up PII footprint modeling platform102. For example, memory 112 may have, host, store, and/or include PIIfootprint modeling module 112 a, PII footprint modeling database 112 b,and machine learning engine 112 c.

PII footprint modeling module 112 a may have instructions that directand/or cause PII footprint modeling platform 102 to execute advanced PIIfootprint modeling techniques. PII footprint modeling database 112 b maystore information used by PII footprint modeling module 112 a and/or PIIfootprint modeling platform 102 in application of advanced machinelearning techniques for PII footprint modeling, and/or in performingother functions. Machine learning engine 112 c may have instructionsthat direct and/or cause the PII footprint modeling platform 102 to set,define, and/or iteratively refine optimization rules and/or otherparameters used by the PII footprint modeling platform 102 and/or othersystems in computing environment 100.

FIGS. 2A-2E depict an illustrative event sequence for PII footprintmodeling by a centralized computing platform in accordance with one ormore example embodiments. Referring to FIG. 2A, at step 201, enterpriseuser device 104 may establish a connection with the PII footprintmodeling platform 102. For example, the enterprise user device 104 mayestablish a first wireless data connection with the PII footprintmodeling platform 102 to link the enterprise user device 104 to the PIIfootprint modeling platform 102 (e.g., in preparation for sending arequest for information). In some instances, the enterprise user device104 may identify whether or not a connection is already established withthe PII footprint modeling platform 102. If a connection is alreadyestablished with the PII footprint modeling platform 102, the enterpriseuser device 104 might not re-establish the connection. If a connectionis not yet established with the PII footprint modeling platform 102, theenterprise user device 104 may establish the first wireless dataconnection as described herein.

At step 202, enterprise user device 104 may send a request forinformation to the PII footprint modeling platform 102. For example, auser of the enterprise user device 104 (e.g., an employee of anenterprise organization such as a financial institution) may beprocessing a transaction, providing a service, providing information,and/or performing other functions, and may thus request information(e.g., account information, contact information, credit information,birth dates, driver's license information, expiration dates, emailinformation, phone numbers, online banking identifiers, deviceidentifiers, social security information, and/or other personalinformation) from the PII footprint modeling platform 102. In someinstances, the enterprise user device 104 may send the informationrequest to the PII footprint modeling platform 102 while the firstwireless data connection is established.

At step 203, the PII footprint modeling platform 102 may receive theinformation request from the enterprise user device 104. For example,the PII footprint modeling platform 102 may receive the PII via thecommunication interface 113 and while the first wireless data connectionis established.

At step 204, the PII footprint modeling platform 102 may establish aconnection with the information storage system 103. For example, the PIIfootprint modeling platform 102 may establish a second wireless dataconnection with the information storage system 103 to link the PIIfootprint modeling platform 102 to the information storage system 103(e.g., in preparation for requesting source data to satisfy theinformation request). In some instances, the PII footprint modelingplatform 102 may identify whether or not a connection is alreadyestablished with the information storage system 103. If the PIIfootprint modeling platform 102 identifies that a connection is alreadyestablished with the information storage system 103, the PII footprintmodeling platform 102 might not re-establish the connection. If the PIIfootprint modeling platform 102 identifies that a connection is not yetestablished with the information storage system 103, the PII footprintmodeling platform 102 may establish the second wireless data connectionas described herein.

At step 205, the PII footprint modeling platform 102 may request sourcedata from the information storage system 103. For example, the PIIfootprint modeling platform 102 may request account information, contactinformation, and/or other personal information from the informationstorage system 103, which may, in some instances, include PII such asaccount information, contact information, credit information, birthdates, driver's license information, expiration dates, emailinformation, phone numbers, online banking identifiers, deviceidentifiers, social security information, and/or other personalinformation. In some instances, the PII footprint modeling platform 102may send the source data request to the information storage system 103via the communication interface 113 and while the second wireless dataconnection is established.

Referring to FIG. 2B, at step 206, the PII footprint modeling platform102 may collect the source data from the information storage system 103.In some instances, in doing so, the PII footprint modeling platform 102may collect PII that comprises the source data. For example, the PIIfootprint modeling platform 102 may collect the source data from theinformation storage system 103 while the second wireless data connectionis established.

At step 207, the PII footprint modeling platform 102 may identify andmask PII collected at step 206. For example, the PII footprint modelingplatform 102 may identify information that need not be exposed at theenterprise user device 104 (e.g., sensitive information such as accountnumbers, social security numbers, and/or other information), and maymask (e.g., conceal, scramble, obfuscate, or otherwise remove) this PIIfor display at the enterprise user device 104. In some instances, thePII footprint modeling platform 102 may selectively mask the PII basedon the type of content that is included in the PII, such as an IPaddress, location, job title, department, experience level, and/or otherinformation corresponding to a user of the enterprise user device 104and/or the enterprise user device 104 itself (e.g., based on anestablished enterprise data management policy). For example, the PIIfootprint modeling platform 102 may identify that the user of theenterprise user device 104 and/or the enterprise user device 104 itselfshould not have access to the PII, and thus may mask the PII.

At step 208, the PII footprint modeling platform 102 may send aninformation response to the enterprise user device 104, which mayinclude the PII in a masked form (or otherwise not include the PII). Insome instances, the PII footprint modeling platform 102 may send theinformation response to the enterprise user device 104 via thecommunication interface and while the first wireless data connection isestablished. In some instances, along with the information response, thePII footprint modeling platform 102 may send one or more commandsdirecting the enterprise user device 104 to display the informationresponse.

At step 209, the enterprise user device 104 may receive the informationresponse sent at step 208. In some instances, the enterprise user device104 may also receive the one or more commands directing the enterpriseuser device 104 to display the information response. In some instances,the enterprise user device 104 may receive the information responsewhile the first wireless data connection is established.

At step 210, based on or in response to the one or more commandsdirecting the enterprise user device 104 to display the informationresponse, the enterprise user device 104 may display the informationresponse. For example, the enterprise user device 104 may display agraphical user interface similar to graphical user interface 605, whichis shown in FIG. 6 , and which shows certain information related to acustomer, while masking other information that need not be exposed tothe enterprise user.

Referring to FIG. 2C, at step 211, the enterprise user device 104 maysend a request to unmask masked data displayed at the enterprise userdevice 104. For example, the user of the enterprise user device 104 mayselect or otherwise indicate that access to the masked data is needed toperform a particular task or provide a particular service. In theseinstances, the enterprise user device 104 may send the unmasking requestto the PII footprint modeling platform 102 while the first wireless dataconnection is established.

At step 212, the PII footprint modeling platform 102 may receive theunmasking request sent at step 211. For example, the PII footprintmodeling platform 102 may receive the unmasking request via thecommunication interface 113 and while the first wireless data connectionis established.

At step 213, the PII footprint modeling platform 102 may send an updatedinformation response to the enterprise user device 104 in which the PII,related to the unmasking request, is unmasked. For example, the PIIfootprint modeling platform 102 may unmask the PII by sending thecorresponding source data (e.g., received at step 206), which mightpreviously not have been sent in the information response at step 208.Additionally or alternatively, the PII footprint modeling platform 102may unmask the PII by modifying the masked information, included in theinformation response sent at step 208, to expose the PII. In someinstances, the PII footprint modeling platform 102 may unmask a portionof the PII without exposing all of the masked PII.

In some instances, the PII footprint modeling platform 102 may identifybased on the enterprise data management policy, whether or not to unmaskthe PII. If the PII footprint modeling platform 102 identifies that theuser of the enterprise user device 104 or the enterprise user device 104itself is not authorized to access the PII (based on the enterprise datamanagement policy), the PII footprint modeling platform 102 might notunmask the PII, whereas the PII footprint modeling platform 102 mayunmask the PII in response to identifying that the user of theenterprise user device is authorized to access the PII.

In some instances, the PII footprint modeling platform 102 may send theupdated information response to the enterprise user device 104 via thecommunication interface and while the first wireless data connection isestablished. In some instances, the PII footprint modeling platform 102may also send one or more commands directing the enterprise user device104 to display the updated information response.

At step 214, the enterprise user device 104 may receive the updatedinformation response sent at step 213. In some instances, the enterpriseuser device 104 may receive the updated information response while thefirst wireless data connection is established. In some instances, theenterprise user device 104 may also receive the one or more commandsdirecting the enterprise user device 104 to display the updatedinformation response.

At step 215, based on or in response to the one or more commandsdirecting the enterprise user device 104 to display the updatedinformation response, the enterprise user device 104 may display theupdated information response. For example, the enterprise user device104 may display a graphical user interface similar to graphical userinterface 705, which is shown in FIG. 7 , and which exposes the PIIpreviously masked (e.g., as shown in the graphical user interface 605).

At step 216, the PII footprint modeling platform 102 may log informationcorresponding to the unmasking request. For example, the PII footprintmodeling platform 102 may log and/or otherwise record a deviceidentifier of the enterprise user device 104, a user identifier of theuser of the enterprise user device 104 (e.g., an employee identifier), acustomer identifier, a date, a time, the PII for which unmasking wasrequested, geolocation information, IP addresses, whether the enterpriseuser device 104 is operating on a physical or remote connection, anidentifier corresponding to the information storage system 103, and/orother information. In doing so, the PII footprint modeling platform 102may establish a PII event log that may be subsequently analyzed toidentify insights and/or malicious events (as described further below).

Referring to FIG. 2D, at step 217, the PII footprint modeling platform102 may input the PII event log into a machine learning model toidentify potential malicious events. For example, the PII footprintmodeling platform 102 may identify whether or not informationcorresponding to the unmasking request indicates that the unmaskingrequest is an outlier and/or unusual request. For example, the PIIfootprint modeling platform 102 may maintain a listing of PII that mayrelate to services and/or functions provided by various employees basedon job roles, departments, experience levels, geographic regions, and/orother employee characteristics. In these instances, the PII footprintmodeling platform 102 may compare the requested PII to the list ofrelated PII to identify whether or not the requested PII relates to theservices and/or functions provided by the user of the enterprise userdevice 104. If the PII footprint modeling platform 102 identifies thatthe requested PII does not relate to the services and/or functions ofthe enterprise user device 104, the PII footprint modeling platform 102may flag the unmasking request as a potentially malicious event. Forexample, if a request to unmask a social security number is received,and social security numbers have no relation to the functions of theuser of the enterprise user device 104, a malicious event may bedetected. If the PII footprint modeling platform 102 identifies that therequested PII does relate to the services and/or functions of theenterprise user device 104, the PII footprint modeling platform 102 may,in some instances, further analyze the PII event log (e.g., as describedbelow).

For example, the PII footprint modeling platform 102 may identify afrequency with which employees with various job titles, experiencelevels, departments, and/or other characteristics access the PII forwhich unmasking was requested. For example, the PII footprint modelingplatform 102 may identify, using the PII event log, a number of timesthat the enterprise user device 104 (and/or a user of the enterpriseuser device 104) has requested unmasking of the PII within apredetermined period (e.g., a day, week, month, or other time period).In this example, the PII footprint modeling platform 102 may comparethis number of unmasking requests to unmasking requests received for thePII from other enterprise user devices and/or employees. In doing so,the PII footprint modeling platform 102 may identify whether theenterprise user device 104 is requesting the PII within one or morestandard deviations of a median or mean number of unmasking requestsreceived from similarly situated employees (e.g., similar job title,department, experience level, geographic region and/or othercharacteristics). For example, the PII footprint modeling platform 102may identify that the enterprise user device 104 has requested unmaskingof social security numbers 500 times within the last 24 hours, whereasother similarly situated employees have only requested 5 social securitynumbers within the last week. If the enterprise user device 104identifies that the number of unmasking requests for the PII receivedfrom the enterprise user device 104 falls outside of a first standarddeviation of a median or mean number of unmasking requests for the PII,the PII footprint modeling platform 102 may identify a malicious event.For example, the PII footprint modeling platform 102 may apply thefollowing model: if

${\sqrt{\frac{\sum\left( {x_{i} - \mu} \right)^{2}}{N}} > 1},$then malicious event and if

${\sqrt{\frac{\sum\left( {x_{i} - \mu} \right)^{2}}{N}} \leq 1},$no malicious event. In these instances, N may represent a number ofemployees (e.g., similarly situated employees), μ may represent anaverage number of attempts (e.g., by the similarly situated employees)to access a particular type of PII, and x_(i) may represent the numberof attempts to access the particular type of PII by the user of theenterprise user device 104. In these instances, the values of μcorresponding to various types of PII may be established based on thePII event log, which may include a record of requests to unmask varioustypes of PII by various employees.

Additionally or alternatively, the PII footprint modeling platform 102may compare the requested PII to a service being performed to identifywhether or not a malicious event occurred. For example, if theenterprise user device 104 is performing a balance inquiry, unmasking ofdriver's license information might not be necessary. Thus, an attempt tounmask the driver's license information in this context may indicate amalicious event. As a result, the PII footprint modeling platform 102may generate insight information indicating whether or not the unmaskingrequest corresponds to a malicious event.

At step 218, the PII footprint modeling platform 102 may establish aconnection with the administrator user device 105. For example, the PIIfootprint modeling platform 102 may establish a third wireless dataconnection to link the PII footprint modeling platform 102 to theadministrator user device 105 (e.g., in preparation for sending insightinformation). In some instances, the PII footprint modeling platform 102may identify whether or not a connection is already established with theadministrator user device 105. If a connection is already establishedwith the administrator user device 105, the PII footprint modelingplatform 102 might not re-establish the connection. If a connection isnot yet established with the administrator user device 105, the PIIfootprint modeling platform 102 may establish the third wireless dataconnection as described herein.

At step 219, the PII footprint modeling platform 102 may send theinsight information to the administrator user device 105. For example,the PII footprint modeling platform 102 may send the insight informationto the administrator user device 105 via the communication interface 113and while the third wireless data connection is established. In someinstances, the PII footprint modeling platform 102 may also send one ormore commands directing the administrator user device 105 to display theinsight information.

At step 220, the administrator user device 105 may receive the insightinformation sent at step 219. For example, the administrator user device105 may receive the insight information while the third wireless dataconnection is established. In some instances, the administrator userdevice 105 may also receive the one or more commands directing theadministrator user device 105 to display the insight information.

At step 221, based on or in response to the one or more commandsdirecting the administrator user device 105 to display the insightinformation, the administrator user device 105 may display the insightinformation. For example, the administrator user device 105 may displaya graphical user interface similar to graphical user interface 805,which is shown in FIG. 8 , and which indicates that a potentialmalicious event has been detected.

Referring to FIG. 2E, at step 222, the PII footprint modeling platform102 may generate one or more remediation actions. For example, the PIIfootprint modeling platform 102 may identify an enterprise datamanagement policy update (e.g., indicating that access permissions forthe enterprise user device 104 and/or the user of the enterprise userdevice 104 should be revoked, temporarily suspended, and/or otherwisemodified). In some instances, the one or more remediation actions may begenerated based on the standard deviation identified at step 217. Forexample, if the standard deviation is identified between 1 and 2, thePII footprint modeling platform 102 may temporarily suspend networkaccess to the enterprise user device 104, whereas if the standarddeviation is identified to be 2 or more, an enterprise data managementpolicy may be modified so as to permanently prevent the enterprise userdevice 104 from accessing the PII and/or permanently suspend networkaccess.

At step 223, the PII footprint modeling platform 102 may implement theone or more remediation actions. For example, the PII footprint modelingplatform 102 may update the enterprise data management policy based onthe identified enterprise data management policy update. By performingsuch remediation actions, in addition or as an alternative toidentifying malicious events on the fly, the PII footprint modelingplatform 102 may prevent malicious events before they occur. Forexample, once the enterprise user device 104 has been flagged asattempting to perform malicious events, network access may be revokedfor that device in anticipation of future attempts to perform maliciousevents. Additionally or alternatively, retroactive identification may beperformed by the PII footprint modeling platform 102 to identify otherPII that has been previously accessed by the enterprise user device 104(and thus may be compromised). In these instances, the PII footprintmodeling platform 102 may notify customers corresponding to theretroactively identified PII of a potential malicious event and/or thatthe corresponding PII may be compromised.

FIGS. 3A-3E depict an illustrative event sequence for PII footprintmodeling by a user device in accordance with one or more exampleembodiments. In some instances, the event sequence depicted in FIGS.3A-3E may be performed in addition or as an alternative to the eventsequence described in FIGS. 2A-2E. For example, in some instances, thePII footprint modeling platform 102 may cause a plug-in or othersoftware to be installed at the enterprise user device 104 which mayenable the enterprise user device 104 to perform one or more of thefunctions, described above with regard to FIGS. 2A-2E, otherwiseperformed by the PII footprint modeling platform 102. As a result of theplug-in or other software, the enterprise user device 104 may performone or more of the functions described below. Referring to FIG. 3A, atstep 301, enterprise user device 104 may receive a request forinformation (e.g., similar to the request received by the PII footprintmodeling platform 102 at step 203). For example, a user of theenterprise user device 104 (e.g., an employee of an enterpriseorganization such as a financial institution) may be processing atransaction, providing a service, providing information, and/orperforming other functions, and may thus request information (e.g.,account information, contact information, credit information, birthdates, driver's license information, expiration dates, emailinformation, phone numbers, online banking identifiers, deviceidentifiers, social security information, and/or other personalinformation) from the enterprise user device 104.

At step 302, enterprise user device 104 may establish a connection withthe information storage system 103. For example, the enterprise userdevice 104 may establish a first wireless data connection with theinformation storage system 103 to link the enterprise user device 104 tothe information storage system 103 (e.g., in preparation for collectingsource data). In some instances, the enterprise user device 104 mayidentify whether or not a connection is already established with theinformation storage system 103. If a connection is already establishedwith the information storage system 103, the enterprise user device 104might not re-establish the connection. If a connection is not yetestablished with the information storage system 103, the enterprise userdevice 104 may establish the first wireless data connection as describedherein.

At step 303, the enterprise user device 104 may monitor the informationstorage system 103 for source data corresponding to the informationrequest. For example, the enterprise user device 104 may request accountinformation, contact information, and/or other personal information fromthe information storage system 103, which may, in some instances,include PII such as account information, contact information, creditinformation, birth dates, driver's license information, expirationdates, email information, phone numbers, online banking identifiers,device identifiers, social security information, and/or other personalinformation. In some instances, the enterprise user device 104 mayrequest the source data while the first wireless data connection isestablished. In some instances, actions performed by the enterprise userdevice 104 at step 303 may be similar to the actions performed by thePII footprint modeling platform 102 at step 205.

At step 304, the enterprise user device 104 may collect the source datafrom the information storage system 103. In some instances, in doing so,the enterprise user device 104 may collect PII that comprises the sourcedata. For example, the enterprise user device 104 may collect the sourcedata from the information storage system 103 while the first wirelessdata connection is established. In some instances, actions performed bythe enterprise user device 104 at step 304 may be similar to the actionsperformed by the PII footprint modeling platform 102 at step 206.

Referring to FIG. 3B, at step 305, the enterprise user device 104 mayidentify and mask PII collected at step 304. For example, the enterpriseuser device 104 may identify information that need not be exposed (e.g.,sensitive information such as account numbers, social security numbers,and/or other information), and may mask (e.g., conceal, scramble,obfuscate, or otherwise remove) this PII for display. In some instances,the enterprise user device 104 may mask the PII based on the type ofcontent that is included in the PII, such as an IP address, location,job title, department, experience level, and/or other informationcorresponding to a user of the enterprise user device 104 and/or theenterprise user device 104 itself (e.g., based on an establishedenterprise data management policy). For example, the enterprise userdevice 104 may identify that the user of the enterprise user device 104and/or the enterprise user device 104 itself should not have access tothe PII, and thus may mask the PII. In some instances, actions performedby the enterprise user device 104 at step 305 may be similar to thoseperformed by the PII footprint modeling platform 102 at step 207.

At step 306, the enterprise user device 104 may generate an informationresponse, which may include the PII in a masked form (or otherwise notinclude the PII). In some instances, the enterprise user device 104 maydisplay the information response. For example, the enterprise userdevice 104 may display a graphical user interface similar to graphicaluser interface 605, which is shown in FIG. 6 , and which shows certaininformation related to a customer, while masking other information thatneed not be exposed to the enterprise user. In some instances, actionsperformed at step 306 may be similar to those described above withregard to steps 208-210.

At step 307, the enterprise user device 104 may receive a request tounmask masked data displayed at the enterprise user device 104. Forexample, the user of the enterprise user device 104 may select orotherwise indicate that access to the masked data is needed to perform aparticular task or provide a particular service. In some instances,actions performed at step 306 may be similar to those performed by thePII footprint modeling platform 102 at steps 211-212.

At step 308, the enterprise user device 104 may generate an updatedinformation response in which the PII, related to the unmasking request,is unmasked. For example, the enterprise user device 104 may unmask thePII by sending the corresponding source data (e.g., received at step304), which might previously not have been displayed at step 306.Additionally or alternatively, the enterprise user device 104 may unmaskthe PII by modifying the masked information, included in the informationdisplayed at step 306, to expose the PII. In some instances, theenterprise user device 104 may unmask a portion of the PII withoutexposing all of the masked PII.

In some instances, the enterprise user device 104 may identify, based onthe enterprise data management policy, whether or not to unmask the PII.If the enterprise user device 104 identifies that the user of theenterprise user device 104 or the enterprise user device 104 itself isnot authorized to access the PII (e.g., based on the enterprise datamanagement policy), the enterprise user device 104 might not unmask thePII, whereas the enterprise user device 104 may unmask the PII inresponse to identifying that the user of the enterprise user device isauthorized to access the PII.

If the PII is to be unmasked, the enterprise user device 104 may displaythe updated information response. For example, the enterprise userdevice 104 may display a graphical user interface similar to graphicaluser interface 705, which is shown in FIG. 7 , and which exposes the PIIpreviously masked (e.g., as shown in the graphical user interface 605).In some instances, actions performed by the enterprise user device 104at step 307 may be similar to those performed at steps 213-215.

Referring to FIG. 3C, at step 309, the enterprise user device 104 mayestablish a connection with the PII footprint modeling platform 102. Forexample, the enterprise user device 104 may establish a second wirelessdata connection with the PII footprint modeling platform 102 to link theenterprise user device 104 to the PII footprint modeling platform 102(e.g., in preparation for sending unmasking event information). In someinstances, the enterprise user device 104 may identify whether aconnection is already established with the PII footprint modelingplatform 102. If a connection is already established with the PIIfootprint modeling platform 102, the enterprise user device 104 mightnot re-establish the connection. If a connection is not yet establishedwith the PII footprint modeling platform 102, the enterprise user device104 may establish a second wireless data connection as described herein.

At step 310, the enterprise user device 104 may send unmasking eventinformation, corresponding to the unmasking request, to the PIIfootprint modeling platform 102. For example, the enterprise user device104 may send a device identifier of the enterprise user device 104, auser identifier of the user of the enterprise user device 104 (e.g., anemployee identifier), a customer identifier, a date, a time, the PII forwhich unmasking was requested, geolocation information, IP addresses,whether the enterprise user device 104 is operating on a physical orremote connection, an identifier corresponding to the informationstorage system 103, and/or other information. In some instances, theenterprise user device 104 may send the unmasking event information tothe PII footprint modeling platform 102 while the second wireless dataconnection is established.

At step 311, the PII footprint modeling platform 102 may receive theunmasking event information sent at step 310. For example, the PIIfootprint modeling platform 102 may receive the unmasking eventinformation via the communication interface 113 and while the secondwireless data connection is established.

At step 312, the PII footprint modeling platform 102 may log theunmasking event information received at step 311. For example, the PIIfootprint modeling platform 102 may log a device identifier of theenterprise user device 104, a user identifier of the user of theenterprise user device 104 (e.g., an employee identifier), a customeridentifier, a date, a time, the PII for which unmasking was requested,geolocation information, IP addresses, whether the enterprise userdevice 104 is operating on a physical or remote connection, anidentifier corresponding to the information storage system 103, and/orother information. In doing so, the PII footprint modeling platform 102may establish a PII event log that may subsequently be analyzed toidentify insights and/or malicious events. Actions performed at steps310-312 may be similar to those described above with regard to step 216.

At step 313, the PII footprint modeling platform 102 may input the PIIevent log into a machine learning model to identify potential maliciousevents. For example, the PII footprint modeling platform 102 mayidentify whether or not information corresponding to the unmaskingrequest indicates that the unmasking request is an outlier and/orunusual request. For example, the PII footprint modeling platform 102may maintain a listing of PII that may relate to services and/orfunctions provided by various employees based on job roles, departments,experience levels, geographic region, and/or other employeecharacteristics. In these instances, the PII footprint modeling platform102 may compare the requested PII to the list of related PII to identifywhether or not the requested PII relates to the services and/orfunctions provided by the user of the enterprise user device 104. If thePII footprint modeling platform 102 identifies that the requested PIIdoes not relate to the services and/or functions of the enterprise userdevice 104, the PII footprint modeling platform 102 may flag theunmasking request as a potentially malicious event. For example, if arequest to unmask a social security number is received, and socialsecurity numbers have no relation to the functions of the user of theenterprise user device 104, a malicious event may be detected. If thePII footprint modeling platform 102 identifies that the requested PIIdoes relate to the services and/or functions of the enterprise userdevice 104, the PII footprint modeling platform 102 may further analyzethe PII event log (e.g., as described below).

For example, the PII footprint modeling platform 102 may identify afrequency with which employees with various job titles, experiencelevels, departments, and/or other characteristics access the PII forwhich unmasking was requested. For example, the PII footprint modelingplatform 102 may identify, using the PII event log, a number of timesthat the enterprise user device 104 (and/or a user of the enterpriseuser device 104) has requested unmasking of the PII within apredetermined period (e.g., a day, week, month, or other time period).In this example, the PII footprint modeling platform 102 may comparethis number of unmasking requests to unmasking requests received for thePII from other enterprise user devices and/or employees. In doing so,the PII footprint modeling platform 102 may identify whether theenterprise user device 104 is requesting the PII within one or morestandard deviations of a median or mean number of unmasking requestsreceived from similarly situated employees (e.g., similar job title,department, experience level, geographic region and/or othercharacteristics). For example, the PII footprint modeling platform 102may identify that the enterprise user device 104 has requested unmaskingof social security numbers 500 times within the last 24 hours, whereasother similarly situated employees have only requested 5 social securitynumbers within the last week. If the enterprise user device 104identifies that the number of unmasking requests for the PII receivedfrom the enterprise user device 104 falls outside of a first standarddeviation of a median or mean number of unmasking requests for the PII,the PII footprint modeling platform 102 may identify a malicious event.For example, the PII footprint modeling platform 102 may apply thefollowing model: if

${\sqrt{\frac{\sum\left( {x_{i} - \mu} \right)^{2}}{N}} > 1},$then malicious event and if

${\sqrt{\frac{\sum\left( {x_{i} - \mu} \right)^{2}}{N}} \leq 1},$no malicious event. In these instances, N may represent a number ofemployees (e.g., similarly situated employees), μ may represent anaverage number of attempts (e.g., by the similarly situated employees)to access a particular type of PII, and x_(i) may represent the numberof attempts to access the particular type of PII by the user of theenterprise user device 104. In these instances, the values of μcorresponding to various types of PII may be established based on thePII event log, which may include a record of requests to unmask varioustypes of PII by various employees.

Additionally or alternatively, the PII footprint modeling platform 102may compare the requested PII to a service being performed to identifywhether or not a malicious event occurred. For example, if theenterprise user device 104 is performing a balance inquiry, unmasking ofdriver's license information might not be necessary. Thus, an attempt tounmask the driver's license information in this context may indicate amalicious event. As a result, the PII footprint modeling platform 102may generate insight information indicating whether or not the unmaskingrequest corresponds to a malicious event. Actions performed at step 313may be similar to those described above with regard to step 217.

Referring to FIG. 3D, at step 314, the PII footprint modeling platform102 may establish a connection with administrator user device 105. Forexample, the PII footprint modeling platform 102 may establish a thirdwireless data connection with the administrator user device 105 (e.g.,in preparation for sending insight information to the administrator userdevice 105). In some instances, the PII footprint modeling platform 102may identify whether or not a connection is already established with theadministrator user device 105. If a connection is already establishedwith the administrator user device 105, the PII footprint modelingplatform 102 might not re-establish the connection. If a connection isnot yet established with the administrator user device 105, the PIIfootprint modeling platform 102 may establish the third wireless dataconnection as described herein.

At step 315, the PII footprint modeling platform 102 may send theinsight information to the administrator user device 105. For example,the PII footprint modeling platform 102 may send the insight informationto the administrator user device 105 via the communication interface 113and while the third wireless data connection is established. In someinstances, the PII footprint modeling platform 102 may also send one ormore commands directing the administrator user device 105 to display theinsight information. Actions performed at step 315 may be similar tothose described above with regard to step 219.

At step 316, the administrator user device 105 may receive the insightinformation sent at step 315. For example, the administrator user device105 may receive the insight information while the third wireless dataconnection is established. In some instances, the administrator userdevice 105 may also receive the one or more commands directing theadministrator user device 105 to display the insight information.Actions performed at step 316 may be similar to those described abovewith regard to step 220.

At step 317, based on or in response to the one or more commandsdirecting the administrator user device 105 to display the insightinformation, the administrator user device 105 may display the insightinformation. For example, the administrator user device 105 may displaya graphical user interface similar to graphical user interface 805,which is shown in FIG. 8 , and which indicates that a potentialmalicious event has been detected. Actions performed at step 317 may besimilar to those described above with regard to step 221.

At step 318, the PII footprint modeling platform 102 may generate one ormore remediation actions. For example, the PII footprint modelingplatform 102 may identify an enterprise data management policy update(e.g., indicating that access permissions for the enterprise user device104 and/or the user of the enterprise user device 104 should be revoked,temporarily suspended, and/or otherwise modified). In some instances,the one or more remediation actions may be generated based on thestandard deviation identified at step 313. For example, if the standarddeviation is identified between 1 and 2, the PII footprint modelingplatform 102 may temporarily suspend network access to the enterpriseuser device 104, whereas if the standard deviation is identified to be 2or more, an enterprise data management policy may be modified so as topermanently prevent the enterprise user device 104 from accessing thePII and/or permanently suspend network access. Actions performed at step318 may be similar to those described above with regard to step 222.

Referring to FIG. 3E, at step 319, the PII footprint modeling platform102 may implement the one or more remediation actions. For example, thePII footprint modeling platform 102 may update the enterprise datamanagement policy based on the identified enterprise data managementpolicy update. By performing such remediation actions, in addition or asan alternative to identifying malicious events on the fly, the PIIfootprint modeling platform 102 may prevent malicious events before theyoccur. For example, once the enterprise user device 104 has been flaggedas attempting to perform malicious events, network access may be revokedfor that device in anticipation of future attempts to perform maliciousevents. Additionally or alternatively, retroactive identification may beperformed by the PII footprint modeling platform 102 to identify otherPII that has been previously accessed by the enterprise user device 104(and thus may be compromised). Actions performed at step 319 may besimilar to those described above with regard to step 223.

FIG. 4 depicts an illustrative method for PII footprint modeling by acentralized computing platform in accordance with one or more exampleembodiments. Referring to FIG. 4 , at step 405, a computing platformhaving at least one processor, a communication interface, and memory mayreceive an information request. At step 410, the computing platform maycollect source data to respond to the information request. At step 415,the computing platform may mask PII included in the source data. At step420, the computing platform may send an information request in which thePII is masked. At step 425, the computing platform may identify whetheror not an unmasking request is received. If an unmasking request is notreceived, the method may end. If an unmasking request is received, thecomputing platform may proceed to step 430.

At step 430, the computing platform may send an updated informationresponse in which the PII is now exposed. At step 435, the computingplatform may log unmasking information. At step 440, the computingplatform may generate insight information using a machine learning modeland based on logged unmasking information. At step 445, the computingplatform may send insight information to an administrator user device105 for display. At step 450, the computing platform may generate one ormore remediation actions based on the insight information. At step 455,the computing platform may implement the one or more remediationactions.

FIG. 5 depicts an illustrative method for PII footprint modeling by auser device in accordance with one or more example embodiments.Referring to FIG. 5 , at step 505, a user device having at least oneprocessor, a communication interface, and memory may receive aninformation request. At step 510, the user device may collect sourcedata to respond to the information request. At step 515, the user devicemay mask PII included in the source data. At step 520, the user devicemay display an information response that does not expose the PII. Atstep 525, the user device may identify whether or not an unmaskingrequest is received. If an unmasking request is not received, the methodmay end. If an unmasking request is received, the user device mayproceed to step 530.

At step 530, the user device may display an updated information responsethat exposes the previously masked PII. At step 535, the user device maysend unmasking information to a centralized information logging platformfor analysis.

One or more aspects of the disclosure may be embodied in computer-usabledata or computer-executable instructions, such as in one or more programmodules, executed by one or more computers or other devices to performthe operations described herein. Generally, program modules includeroutines, programs, objects, components, data structures, and the likethat perform particular tasks or implement particular abstract datatypes when executed by one or more processors in a computer or otherdata processing device. The computer-executable instructions may bestored as computer-readable instructions on a computer-readable mediumsuch as a hard disk, optical disk, removable storage media, solid-statememory, RAM, and the like. The functionality of the program modules maybe combined or distributed as desired in various embodiments. Inaddition, the functionality may be embodied in whole or in part infirmware or hardware equivalents, such as integrated circuits,application-specific integrated circuits (ASICs), field programmablegate arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope of computerexecutable instructions and computer-usable data described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one or more of the steps depicted in theillustrative figures may be performed in other than the recited order,and one or more depicted steps may be optional in accordance withaspects of the disclosure.

What is claimed is:
 1. A computing platform comprising: at least oneprocessor; a communication interface communicatively coupled to the atleast one processor; and memory storing computer-readable instructionsthat, when executed by the at least one processor, cause the computingplatform to: receive a request to unmask masked information; unmask themasked information, resulting in unmasked PII; log the request to unmaskthe masked information in an unmasking event log; send the unmasked PIIin response to the request to unmask the masked information; apply atleast one machine learning model to the unmasking event log to identifyone or more malicious events; and trigger one or more remediationactions based on identification of the one or more malicious events,wherein identifying the one or more malicious events comprises:identifying that a number of requests for the PII by a user computingdevice exceeds a median number of requests for the PII by apredetermined number of standard deviations, wherein the requests areinitiated by other user computing devices corresponding to usersassociated with a particular job title and wherein a user of the usercomputing device may also be associated with the particular job title.2. The computing platform of claim 1, wherein masking the PII comprisesmasking, based on one or more of: an IP address, a location, or a jobtitle corresponding to a user of the user computing device or the usercomputing device.
 3. The computing platform of claim 1, whereinunmasking the PII comprises sending the corresponding source data thatincludes the PII.
 4. The computing platform of claim 1, whereinunmasking the PII comprises modifying the masked information to exposethe PII.
 5. The computing platform of claim 1, wherein the memory storesadditional computer-readable instructions that, when executed by the atleast one processor, cause the computing platform to: identify, based ona network policy, whether or not the request to unmask the PII should befulfilled, wherein unmasking the PII is in response to identifying thatthe request to unmask the PII should be fulfilled.
 6. The computingplatform of claim 5, wherein triggering the one or more remediationactions includes modifying the network policy.
 7. The computing platformof claim 6, wherein modifying the network policy comprises revokingaccess permissions for the user computing device.
 8. The computingplatform of claim 7, wherein the access permissions for the usercomputing device are revoked for a temporary period of time.
 9. Thecomputing platform of claim 1, wherein identifying the one or moremalicious events comprises: comparing the PII to information thatrelates to a job title of the user of the user computing device; basedon identifying a match between the PII and the information that relatesto the job title of the user of the user computing device, verifying anon-malicious event; and based on identifying that the PII does notmatch the information that relates to the job title of the user of theuser computing device, identifying the one or more malicious events. 10.The computing platform of claim 1, wherein the memory stores additionalcomputer-readable instructions that, when executed by the at least oneprocessor, cause the computing platform to: receive, from the usercomputing device, a request to access the information that includes PIIcorresponding to the unmasked PII; retrieve source data comprising thePII; mask, within the source data and based on at least one enterprisedata management policy, the PII, resulting in the masked information;and send the masked information in response to the request to access theinformation.
 11. A method comprising: at a computing platform comprisingat least one processor, a communication interface, and memory: receivinga request to unmask masked information; unmasking the maskedinformation, resulting in unmasked PII; logging the request to unmaskthe masked information in an unmasking event log; sending the unmaskedPII in response to the request to unmask the masked information;applying at least one machine learning model to the unmasking event logto identify one or more malicious events; and triggering one or moreremediation actions based on identification of the one or more maliciousevents, wherein identifying the one or more malicious events comprises:identifying that a number of requests for the PII by a user computingdevice exceeds a median number of requests for the PII by apredetermined number of standard deviations, wherein the requests areinitiated by other user computing devices corresponding to usersassociated with a particular job title and wherein a user of the usercomputing device may also be associated with the particular job title.12. The method of claim 11, wherein masking the PII comprises masking,based on one or more of: an IP address, a location, or a job titlecorresponding to a user of the user computing device or the usercomputing device.
 13. The method of claim 11, wherein unmasking the PIIcomprises sending the corresponding source data that includes the PII.14. The method of claim 11, wherein unmasking the PII comprisesmodifying the masked information to expose the PII.
 15. The method ofclaim 11, further comprising: identifying, based on a network policy,whether or not the request to unmask the PII should be fulfilled,wherein unmasking the PII is in response to identifying that the requestto unmask the PII should be fulfilled.
 16. The method of claim 15,wherein triggering the one or more remediation actions includesmodifying the network policy.
 17. The method of claim 16, whereinmodifying the network policy comprises revoking access permissions forthe user computing device.
 18. The method of claim 17, wherein theaccess permissions for the user computing device are revoked for atemporary period of time.
 19. The method of claim 11, whereinidentifying the one or more malicious events comprises: comparing thePII to information that relates to a job title of the user of the usercomputing device; based on identifying a match between the PII and theinformation that relates to the job title of the user of the usercomputing device, verifying a non-malicious event; and based onidentifying that the PII does not match the information that relates tothe job title of the user of the user computing device, identifying theone or more malicious events.
 20. One or more non-transitorycomputer-readable media storing instructions that, when executed by acomputing platform comprising at least one processor, a communicationinterface, and memory, cause the computing platform to: receive arequest to unmask masked information; unmask the masked information,resulting in unmasked PII; log the request to unmask the maskedinformation in an unmasking event log; send the unmasked PII in responseto the request to unmask the masked information; apply at least onemachine learning model to the unmasking event log to identify one ormore malicious events; and trigger one or more remediation actions basedon identification of the one or more malicious events, whereinidentifying the one or more malicious events comprises: identifying thata number of requests for the PII by a user computing device exceeds amedian number of requests for the PII by a predetermined number ofstandard deviations, wherein the requests are initiated by other usercomputing devices corresponding to users associated with a particularjob title and wherein a user of the user computing device may also beassociated with the particular job title.